Two cybersecurity companies providing firewall plugins for WordPress sites have detected attacks using a zero-day vulnerability in a popular WordPress plugin.
At least two groups of hackers have been observed using a zero-day flaw to change a site’s settings, create malicious admin accounts to use as backdoors, and then hijack traffic from the hacked sites.
Update: since this article was published, a second zero-day flaw has been reported in use by hackers to take control of WordPress sites. It affects the Social Warfare plugin, which the WordPress team has temporarily removed from the official plugin repository pending an update from its developer.
A zero-day flaw in a plugin exploited before the release of a patch
The zero-day flaw used by these two groups is present in the WordPress plugin “Easy WP SMTP”, which has over 300,000 active installations. The plugin lets site owners configure the SMTP settings used for outgoing email from their servers.
Attacks using this zero-day flaw were first spotted last Friday, March 15, by NinTechNet, the company behind the NinjaFirewall plugin for WordPress. The problem was reported to the plugin’s author, who fixed the zero-day flaw on Sunday, March 17, with the release of v1.3.9.1.
The attacks did not stop there, though. They continued throughout the week, with hackers trying to take over as many sites as they could before site owners applied the patch.
How the attacks unfolded
Defiant, the cybersecurity company that runs the Wordfence WordPress firewall, said it continued to detect the attacks even after the patch was released. In a report released earlier today, the company explained how the two hacker groups were operating.
According to Defiant, the attacks exploit an export/import settings feature that was added to the Easy WP SMTP plugin in version 1.3.9. The hackers found that this new import/export feature let them change the general settings of a site, not just those related to the plugin.
Hackers are currently searching for sites that use this plugin and then changing the settings to allow user registration, an operation that many WordPress site owners have disabled for security reasons.
In early attacks spotted by NinTechNet, hackers modified the “wp_user_roles” option that controls the permissions of the “subscriber” role on WordPress sites, giving a subscriber the same rights as an administrator account.
This means that hackers register new accounts that appear as plain subscribers in the WordPress site database but actually carry the permissions and capabilities of an administrator account.
In later attacks detected by Defiant, the hackers changed their modus operandi and started changing the “default_role” parameter instead of “wp_user_roles”. This parameter controls the role assigned to newly registered users; with it set to administrator, every newly created account is an admin account.
This latest attack routine is now the one used by both hacker groups, according to Defiant.
“Both campaigns are launching their initial attacks in an identical fashion, using an exploit PoC detailed in the original NinTechNet vulnerability disclosure. These attacks match the PoC exactly, right down to the checksum,” said Defiant security researcher Mikey Veenstra.
But that’s where the similarities between the two groups end. Defiant said the first of the two groups stops all activity after creating an admin account on hacked sites, while the second group is much more aggressive. Veenstra said the second group modifies hacked sites to redirect incoming visitors to malicious sites, the most common theme being tech support scam sites.
Fixing vulnerable sites
All sites that use the Easy WP SMTP plugin are encouraged to update to the latest version, v1.3.9.1. After updating the plugin, NinTechNet and Defiant recommend auditing the user section of sites for newly added accounts, both at the subscriber and administrator level.
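The settings tampering described above and the post-update audit recommended here can be checked from the command line. The following Python script is an added example, not code from NinTechNet, Defiant or the Easy WP SMTP plugin. It reads the JSON that WP-CLI prints for `wp option get` and `wp user list` and reports the indicators the article describes: `default_role` changed away from subscriber, open registration turned on (the `users_can_register` option behind the "allow user registration" setting), administrator capabilities added to the subscriber role inside `wp_user_roles`, and accounts with an elevated role registered since the attacks began. The `wp` invocation, the year 2019 (inferred from the weekday given above) and the sample data are assumptions; the constructed sample shows what a site looks like after both variants of the attack.

```python
"""Audit a WordPress site for the settings tampering used against Easy WP SMTP.

Added example, not from NinTechNet, Defiant or the plugin author. It consumes the
JSON output of WP-CLI (`wp option get <name> --format=json`, `wp user list
--format=json`), so it can also be run over exported values offline.
"""
import json
import subprocess
from datetime import datetime

# Capabilities a subscriber never legitimately holds. Any of these appearing on the
# "subscriber" role means the wp_user_roles option was rewritten.
ADMIN_ONLY_CAPS = {
    "manage_options", "edit_users", "create_users", "delete_users", "promote_users",
    "edit_plugins", "install_plugins", "activate_plugins",
    "edit_themes", "install_themes", "update_core",
}


def subscriber_admin_caps(wp_user_roles):
    """Return admin-only capabilities that have been granted to the subscriber role."""
    caps = wp_user_roles.get("subscriber", {}).get("capabilities", {})
    return sorted(cap for cap, enabled in caps.items() if enabled and cap in ADMIN_ONLY_CAPS)


def suspicious_users(users, since, elevated_roles=("administrator",)):
    """Logins of accounts registered on or after `since` (YYYY-MM-DD) holding an elevated role.

    `users` is the list from `wp user list --fields=ID,user_login,user_registered,roles`,
    where `roles` is a comma-separated string.
    """
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    hits = []
    for user in users:
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        roles = {r.strip() for r in str(user["roles"]).split(",")}
        if registered >= cutoff and roles & set(elevated_roles):
            hits.append(user["user_login"])
    return hits


def audit(default_role, users_can_register, wp_user_roles, users, since):
    """Combine the checks into a list of human-readable findings (empty list = clean)."""
    findings = []
    if default_role != "subscriber":
        findings.append(f"default_role is '{default_role}' (expected 'subscriber')")
    if str(users_can_register) == "1":
        findings.append("users_can_register is enabled: open registration should normally be off")
    leaked = subscriber_admin_caps(wp_user_roles)
    if leaked:
        findings.append("subscriber role carries admin capabilities: " + ", ".join(leaked))
    # If the role table was tampered with, a "subscriber" created during the attack
    # window is effectively an administrator, so treat that role as elevated too.
    elevated = ["administrator"] + (["subscriber"] if leaked else [])
    for login in suspicious_users(users, since, elevated):
        findings.append(f"account '{login}' registered since {since} with an elevated role")
    return findings


def wp_json(args, path="."):
    """Run WP-CLI (assumed to be on PATH) against the site at `path` and parse its JSON."""
    result = subprocess.run(["wp", f"--path={path}", *args, "--format=json"],
                            check=True, capture_output=True, text=True)
    return json.loads(result.stdout)


def audit_site(path, since):
    """Live audit of an installed site via WP-CLI."""
    return audit(
        wp_json(["option", "get", "default_role"], path),
        wp_json(["option", "get", "users_can_register"], path),
        wp_json(["option", "get", "wp_user_roles"], path),
        wp_json(["user", "list", "--fields=ID,user_login,user_registered,roles"], path),
        since,
    )


# Constructed sample of a site hit by both attack variants (not real data).
SAMPLE_DEFAULT_ROLE = "administrator"
SAMPLE_USERS_CAN_REGISTER = "1"
SAMPLE_WP_USER_ROLES = {
    "administrator": {"name": "Administrator", "capabilities": {"manage_options": True, "read": True}},
    "subscriber": {"name": "Subscriber",
                   "capabilities": {"read": True, "manage_options": True, "edit_users": True}},
}
SAMPLE_USERS = [
    {"ID": 1, "user_login": "owner", "user_registered": "2017-05-02 10:00:00", "roles": "administrator"},
    {"ID": 57, "user_login": "wpupdate", "user_registered": "2019-03-16 03:41:12", "roles": "administrator"},
    {"ID": 58, "user_login": "reader", "user_registered": "2019-03-18 08:00:00", "roles": "subscriber"},
]
ATTACKS_BEGAN = "2019-03-15"  # Friday, March 15; the year is an assumption


if __name__ == "__main__":
    import sys
    site_path = sys.argv[1] if len(sys.argv) > 1 else "."
    for line in audit_site(site_path, ATTACKS_BEGAN) or ["no indicators found"]:
        print(line)
```

Run it as `python audit_wp.py /var/www/site` after updating the plugin. A hit on the role table means resetting `wp_user_roles` to the stock roles, not just deleting the accounts it lists, because every subscriber keeps administrator rights until that option is restored.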
Updating to the latest version of the plugin is all the more important because WordPress security firm White Fir Design, which also published a report on these attacks, has documented other security flaws in the same plugin that could also be exploited.
In all of this, a strong criticism must be levelled at the WordPress forum moderation team, which seems to have been more concerned about forum users using the term “zero-day” than about the attack itself.
The WordPress forum moderation team has a long pedigree of censoring and minimizing security issues. It has in the past left users of some plugins unaware of unpatched vulnerabilities and ongoing attacks, sometimes by deleting topics from the WordPress forums.
A report released this year by cybersecurity firm Sucuri found that 90% of all hacked content management systems (CMS) are WordPress sites.